1. Field of the Invention
The present invention relates to providing security on database servers. More specifically, the present invention relates to a method and an apparatus for sharing a security context for a client between different sessions on a database server, wherein the security context is used to enforce access rights on the database server.
2. Related Art
Many computer systems are presently built around a multi-tier architecture in which client machines in a client tier communicate with application servers in an application tier. These application servers in turn communicate with database servers in a database tier. This type of multi-tier architecture can scale to provide large amounts of computing power for applications that must process large volumes of traffic, such as heavily used web sites or enterprise computing systems.
In multi-tier architectures, security is typically enforced in the application tier. Users operating on client machines typically authenticate themselves to an application on an application server, which is responsible for maintaining client connections. This application typically uses a single identity to log into a database server in the database tier. Hence, all database requests originating from all of the client connections are channeled through the same application identity into the database server. Consequently, the database server must rely on the application to enforce security for client connections.
Instead of blindly relying on the application to enforce security, it is preferable to enforce security at the database server. However, there are a number of problems in doing so.
A given user may try to access a database through different connections with the database. For example, in a connection pooling arrangement, an application channels requests generated by a large number of users through a smaller number of connections with the database server. Hence, a given database connection handles requests for many users, and requests from a given user can be channeled through any one of the connections with the database server.
In another example, a given user may access the database through both a first application and a second application. In this case, the second application has no way of knowing what type of access rights the first application has granted to the user. It is possible for the developers of the first application and the second application to implement some type of ad hoc communication and synchronization mechanism between the two applications in order to share security information for users. However, doing this requires a great deal of additional programming, and the developers must be very careful about how security information is communicated between applications.
In order to overcome the above-listed problems, what is needed is a method and an apparatus for efficiently sharing client-specific security information between different sessions on a database server.